There's a slightly confusing discrepancy in SECTRACK:1017130 and
BID:20768, in which the description mentions the "id" parameter.
However, the raw source, included verbatim in the SECTRACK, provides
an exploit using the action parameter.
I dug up the source code and figured out that both vectors are valid.
In version 1.4 from sourceforge, dated 2003, change_pass.php has:
> <input type="hidden" name="email" value="<?=$HTTP_GET_VARS['id']?>">
So, that's the "id" vector.
And, for $action we have:
if($action=="1")
{
...
}
else
{
?>
<form method="post" action="<?=$PHP_SELF?>" name="mem_change_form" onSubmit="return Validate();">
So, as long as action is not "1", the query string is dumped into the
form. This takes care of the action parameter, in the sense
that it's not "1" and is part of the query string.
I don't know what the original researcher's intention was with listing
the Validate() function. It doesn't seem to contain any of that
DOM-based XSS stuff, and it's only activated when the user presses
Submit.
There might be some other issues elsewhere in the code, such as where
action is 1, but I didn't investigate further.
- Steve
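Added illustration (not part of the post above, and not the project's own code): the two reflection points Steve identifies, the "id" parameter echoed into a hidden input and $PHP_SELF echoed into the form's action attribute, rendered first the way the quoted 1.4 source does it and then with attribute-context output encoding applied. The function names, the DOMDocument-based review check and the sample input are all my own constructions; $PHP_SELF is assumed to carry the request path as $_SERVER['PHP_SELF'] does in current PHP.

```php
<?php
// Added example for the change_pass.php reflection points discussed above.
// Helper names and sample values are constructed for illustration.

// As the quoted 1.4 source does it: the "id" query value lands inside the
// value="" attribute with no encoding, so a quote in the input ends the
// attribute early and whatever follows becomes new markup.
function render_hidden_email_unsafe(array $get): string {
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="email" value="' . $id . '">';
}

// Hardened form: encode for an HTML attribute context. ENT_QUOTES handles
// both quote styles, ENT_SUBSTITUTE keeps invalid byte sequences from
// silently producing an empty string; the charset must match the page.
function render_hidden_email_safe(array $get): string {
    $id = htmlspecialchars($get['id'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="email" value="' . $id . '">';
}

// As the quoted source does it: $PHP_SELF reflects the request path
// (script name plus any PATH_INFO suffix) straight into the action attribute.
function render_form_open_unsafe(string $php_self): string {
    return '<form method="post" action="' . $php_self . '" name="mem_change_form">';
}

// Hardened form: do not reflect the request path at all. The script knows
// its own name, so use that, and still encode it for the attribute context.
function render_form_open_safe(string $script_name): string {
    $action = htmlspecialchars(basename($script_name), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '" name="mem_change_form">';
}

// Review check: parse the fragment and count the attributes on the first
// element. If user input was able to terminate the attribute, the parser
// sees more attributes than the template declares (attribute injection).
function attribute_count(string $fragment, string $tag): int {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // fragments are not full documents
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    libxml_clear_errors();
    $el = $doc->getElementsByTagName($tag)->item(0);
    return $el === null ? 0 : $el->attributes->length;
}

// Constructed sample: an "id" value containing a double quote and a space,
// the characters an attribute context must encode. It is deliberately not
// a payload, just enough to show the attribute boundary being crossed.
$sample_get = ['id' => 'user@example.com" extra="1'];

$unsafe = render_hidden_email_unsafe($sample_get);
$safe   = render_hidden_email_safe($sample_get);

echo "unsafe: $unsafe\n";
echo "  attributes parsed: " . attribute_count($unsafe, 'input') . " (template declares 3)\n";
echo "safe:   $safe\n";
echo "  attributes parsed: " . attribute_count($safe, 'input') . " (template declares 3)\n";

// Same idea for the form tag: a request path with a stray quote versus the
// script's own known name.
$form_unsafe = render_form_open_unsafe('/change_pass.php/x" extra="1');
$form_safe   = render_form_open_safe('/change_pass.php');

echo "unsafe: $form_unsafe\n";
echo "  attributes parsed: " . attribute_count($form_unsafe, 'form') . " (template declares 3)\n";
echo "safe:   $form_safe\n";
echo "  attributes parsed: " . attribute_count($form_safe, 'form') . " (template declares 3)\n";
```

Run it with `php example.php`. The attribute-count check is the part worth keeping around: it turns "is this output encoded for its context?" into a mechanical comparison between the attributes the template declares and the attributes a real HTML parser recovers, which is a cheap regression test for every place a script echoes request data into markup.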